2
0

auth-remote-user.txt 5.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125
  1. =========================================
  2. How to authenticate using ``REMOTE_USER``
  3. =========================================
  4. This document describes how to make use of external authentication sources
  5. (where the web server sets the ``REMOTE_USER`` environment variable) in your
  6. Django applications. This type of authentication solution is typically seen on
  7. intranet sites, with single sign-on solutions such as IIS and Integrated
  8. Windows Authentication or Apache and `mod_authnz_ldap`_, `CAS`_, `WebAuth`_,
  9. `mod_auth_sspi`_, etc.
  10. .. _mod_authnz_ldap: https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html
  11. .. _CAS: https://www.apereo.org/projects/cas
  12. .. _WebAuth: https://uit.stanford.edu/service/authentication
  13. .. _mod_auth_sspi: https://sourceforge.net/projects/mod-auth-sspi
  14. When the web server takes care of authentication it typically sets the
  15. ``REMOTE_USER`` environment variable for use in the underlying application. In
  16. Django, ``REMOTE_USER`` is made available in the :attr:`request.META
  17. <django.http.HttpRequest.META>` attribute. Django can be configured to make
  18. use of the ``REMOTE_USER`` value using the ``RemoteUserMiddleware``
  19. or ``PersistentRemoteUserMiddleware``, and
  20. :class:`~django.contrib.auth.backends.RemoteUserBackend` classes found in
  21. :mod:`django.contrib.auth`.
  22. Configuration
  23. =============
  24. First, you must add the
  25. :class:`django.contrib.auth.middleware.RemoteUserMiddleware` to the
  26. :setting:`MIDDLEWARE` setting **after** the
  27. :class:`django.contrib.auth.middleware.AuthenticationMiddleware`::
  28. MIDDLEWARE = [
  29. "...",
  30. "django.contrib.auth.middleware.AuthenticationMiddleware",
  31. "django.contrib.auth.middleware.RemoteUserMiddleware",
  32. "...",
  33. ]
  34. Next, you must replace the :class:`~django.contrib.auth.backends.ModelBackend`
  35. with :class:`~django.contrib.auth.backends.RemoteUserBackend` in the
  36. :setting:`AUTHENTICATION_BACKENDS` setting::
  37. AUTHENTICATION_BACKENDS = [
  38. "django.contrib.auth.backends.RemoteUserBackend",
  39. ]
  40. With this setup, ``RemoteUserMiddleware`` will detect the username in
  41. ``request.META['REMOTE_USER']`` and will authenticate and auto-login that user
  42. using the :class:`~django.contrib.auth.backends.RemoteUserBackend`.
  43. Be aware that this particular setup disables authentication with the default
  44. ``ModelBackend``. This means that if the ``REMOTE_USER`` value is not set
  45. then the user is unable to log in, even using Django's admin interface.
  46. Adding ``'django.contrib.auth.backends.ModelBackend'`` to the
  47. ``AUTHENTICATION_BACKENDS`` list will use ``ModelBackend`` as a fallback
  48. if ``REMOTE_USER`` is absent, which will solve these issues.
  49. Django's user management, such as the views in ``contrib.admin`` and
  50. the :djadmin:`createsuperuser` management command, doesn't integrate with
  51. remote users. These interfaces work with users stored in the database
  52. regardless of ``AUTHENTICATION_BACKENDS``.
  53. .. note::
  54. Since the ``RemoteUserBackend`` inherits from ``ModelBackend``, you will
  55. still have all of the same permissions checking that is implemented in
  56. ``ModelBackend``.
  57. Users with :attr:`is_active=False
  58. <django.contrib.auth.models.User.is_active>` won't be allowed to
  59. authenticate. Use
  60. :class:`~django.contrib.auth.backends.AllowAllUsersRemoteUserBackend` if
  61. you want to allow them to.
  62. If your authentication mechanism uses a custom HTTP header and not
  63. ``REMOTE_USER``, you can subclass ``RemoteUserMiddleware`` and set the
  64. ``header`` attribute to the desired ``request.META`` key. For example::
  65. from django.contrib.auth.middleware import RemoteUserMiddleware
  66. class CustomHeaderMiddleware(RemoteUserMiddleware):
  67. header = "HTTP_AUTHUSER"
  68. .. warning::
  69. Be very careful if using a ``RemoteUserMiddleware`` subclass with a custom
  70. HTTP header. You must be sure that your front-end web server always sets or
  71. strips that header based on the appropriate authentication checks, never
  72. permitting an end-user to submit a fake (or "spoofed") header value. Since
  73. the HTTP headers ``X-Auth-User`` and ``X-Auth_User`` (for example) both
  74. normalize to the ``HTTP_X_AUTH_USER`` key in ``request.META``, you must
  75. also check that your web server doesn't allow a spoofed header using
  76. underscores in place of dashes.
  77. This warning doesn't apply to ``RemoteUserMiddleware`` in its default
  78. configuration with ``header = 'REMOTE_USER'``, since a key that doesn't
  79. start with ``HTTP_`` in ``request.META`` can only be set by your WSGI
  80. server, not directly from an HTTP request header.
  81. If you need more control, you can create your own authentication backend
  82. that inherits from :class:`~django.contrib.auth.backends.RemoteUserBackend` and
  83. override one or more of its attributes and methods.
  84. .. _persistent-remote-user-middleware-howto:
  85. Using ``REMOTE_USER`` on login pages only
  86. =========================================
  87. The ``RemoteUserMiddleware`` authentication middleware assumes that the HTTP
  88. request header ``REMOTE_USER`` is present with all authenticated requests. That
  89. might be expected and practical when Basic HTTP Auth with ``htpasswd`` or
  90. similar mechanisms are used, but with Negotiate (GSSAPI/Kerberos) or other
  91. resource intensive authentication methods, the authentication in the front-end
  92. HTTP server is usually only set up for one or a few login URLs, and after
  93. successful authentication, the application is supposed to maintain the
  94. authenticated session itself.
  95. :class:`~django.contrib.auth.middleware.PersistentRemoteUserMiddleware`
  96. provides support for this use case. It will maintain the authenticated session
  97. until explicit logout by the user. The class can be used as a drop-in
  98. replacement of :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`
  99. in the documentation above.